System and method for filtering network traffic
1 Assignment
0 Petitions
Abstract
Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded, if the message information does not match the protocol status information.
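The filtering mechanism the abstract and claims describe, as an added worked example written for this page (it is not the patent's own code and not any vendor's implementation). A DHCP server reply seen on a server-facing port populates a binding table entry (client IP, client MAC, client interface); the access control list is recalculated from that table, so later frames whose message information does not match a binding are dropped; DHCP messages are routed to the snooping agent; and server replies that would normally be broadcast are instead delivered only on the bound client's port. Everything here is an assumption for the sake of the demonstration: the class and function names, the list of "trusted" server-facing interfaces, the constructed MACs, addresses and port names, and two checks that go beyond the page text (a DHCP server message is only accepted from a trusted port, and a client DHCP message must carry a `chaddr` equal to its source MAC).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    PERMIT = "permit"    # forward normally
    DROP = "drop"        # message information contradicts the protocol status information
    SNOOP = "snoop"      # hand the DHCP message to the snooping agent
    UNICAST = "unicast"  # deliver only on the bound client's interface instead of flooding

@dataclass(frozen=True)
class Binding:
    """Protocol status information learned from the DHCP exchange (one binding table entry)."""
    ip: str
    mac: str
    interface: str

@dataclass
class Frame:
    """Message information the filter compares against the binding table (constructed input)."""
    interface: str
    src_mac: str
    src_ip: str
    dhcp: Optional[dict] = None  # summary of a DHCP payload: {"type", "chaddr", "yiaddr"}

@dataclass(frozen=True)
class Rule:
    """One access control list entry; a None field matches anything."""
    interface: Optional[str]
    src_mac: Optional[str]
    src_ip: Optional[str]
    dhcp_only: bool
    action: Action

    def matches(self, f: Frame) -> bool:
        if self.dhcp_only and f.dhcp is None:
            return False
        pairs = ((self.interface, f.interface), (self.src_mac, f.src_mac), (self.src_ip, f.src_ip))
        return all(want is None or want == got for want, got in pairs)

class Switch:
    """Filtering module, snooping agent, binding table and ACL in one toy device (assumed design)."""

    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)  # assumption: the DHCP server sits behind these ports
        self.bindings = {}                      # client MAC -> Binding
        self.pending = {}                       # chaddr -> interface its last DHCP message arrived on
        self.acl = []
        self._rebuild_acl()

    def _rebuild_acl(self) -> None:
        """Recalculate the ACL from the binding table; first matching rule wins."""
        rules = [Rule(None, None, None, True, Action.SNOOP)]  # every DHCP message goes to the agent
        for b in self.bindings.values():
            rules.append(Rule(b.interface, b.mac, b.ip, False, Action.PERMIT))
        for port in sorted(self.trusted):
            rules.append(Rule(port, None, None, False, Action.PERMIT))
        rules.append(Rule(None, None, None, False, Action.DROP))  # no matching binding: discard
        self.acl = rules

    def process(self, f: Frame):
        """Apply the ACL to one frame; returns (action, interface to unicast on or None)."""
        rule = next(r for r in self.acl if r.matches(f))
        if rule.action is Action.SNOOP:
            return self._snoop(f)
        return rule.action, None

    def _snoop(self, f: Frame):
        kind, chaddr = f.dhcp["type"], f.dhcp["chaddr"]
        if kind in ("DISCOVER", "REQUEST", "RELEASE"):  # client-generated messages
            if chaddr != f.src_mac:  # assumed check: chaddr must match the sending MAC
                return Action.DROP, None
            if kind == "RELEASE":
                b = self.bindings.get(chaddr)
                if b is None or b.interface != f.interface:  # release inconsistent with the binding
                    return Action.DROP, None
                del self.bindings[chaddr]
                self._rebuild_acl()
                return Action.PERMIT, None
            self.pending[chaddr] = f.interface  # remember which port the client is attached to
            return Action.PERMIT, None
        if f.interface not in self.trusted:  # server messages (OFFER/ACK/NAK) only from trusted ports
            return Action.DROP, None
        client_if = self.pending.get(chaddr)
        if kind == "ACK" and client_if is not None:
            self.bindings[chaddr] = Binding(f.dhcp["yiaddr"], chaddr, client_if)
            self._rebuild_acl()
        if client_if is None:
            return Action.PERMIT, None  # unknown client: forward normally
        return Action.UNICAST, client_if  # would be broadcast; send only to the client's port

def run_demo():
    """Constructed exchange: one lease, then spoofed or inconsistent traffic. Returns {step: (action, port)}."""
    sw = Switch(["gi0/24"])
    srv, cli, evil = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    def dhcp(kind, chaddr, yiaddr="0.0.0.0"):
        return {"type": kind, "chaddr": chaddr, "yiaddr": yiaddr}
    steps = [
        ("discover", Frame("gi0/1", cli, "0.0.0.0", dhcp("DISCOVER", cli))),
        ("offer", Frame("gi0/24", srv, "10.0.0.1", dhcp("OFFER", cli, "10.0.0.5"))),
        ("request", Frame("gi0/1", cli, "0.0.0.0", dhcp("REQUEST", cli))),
        ("ack", Frame("gi0/24", srv, "10.0.0.1", dhcp("ACK", cli, "10.0.0.5"))),
        ("client_ok", Frame("gi0/1", cli, "10.0.0.5")),
        ("wrong_ip", Frame("gi0/1", cli, "10.0.0.9")),
        ("stolen_ip", Frame("gi0/2", evil, "10.0.0.5")),
        ("moved_port", Frame("gi0/2", cli, "10.0.0.5")),
        ("rogue_offer", Frame("gi0/2", evil, "10.0.0.2", dhcp("OFFER", cli, "10.0.0.66"))),
        ("bad_release", Frame("gi0/2", cli, "10.0.0.5", dhcp("RELEASE", cli, "10.0.0.5"))),
        ("release", Frame("gi0/1", cli, "10.0.0.5", dhcp("RELEASE", cli, "10.0.0.5"))),
        ("after_release", Frame("gi0/1", cli, "10.0.0.5")),
    ]
    return {name: sw.process(f) for name, f in steps}

if __name__ == "__main__":
    for name, (action, port) in run_demo().items():
        print(f"{name:14s} -> {action.value}" + (f" via {port}" if port else ""))
```

Running the script walks one lease through DISCOVER, OFFER, REQUEST and ACK (both server replies come back as `unicast via gi0/1` rather than being flooded), then shows the ACL computed from the resulting binding: traffic with the bound IP, MAC and port is permitted, while a changed IP, a different host claiming the same IP, the same host on another port, a DHCP reply from an untrusted port, and a RELEASE arriving on a port other than the bound one are all dropped. The ACL is rebuilt on every binding change, which is the simplest way to keep the rules a pure function of the protocol status information; a real device would allocate and free individual entries as claim 1 describes.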
27 Citations
56 Claims
1. A method comprising:
- applying an access control rule to a first message, wherein the first message comprises message information, the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, and the access control rule is stored in an access control list;
- determining whether to perform one or more security actions, wherein the determining is performed in response to the applying, and the access control rule indicates whether to perform the one or more security actions; and
- performing a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
- selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
- updating a binding table entry in response to detecting the one or more protocol messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client; and
- allocating an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by a snooping agent, and the snooping agent is configured to update information in the binding table in response to processing the DHCP message.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 50, 51, 52, 53, 54, 55, 56
9. A network device comprising:
- a physical interface configured to receive a first message;
- a filtering module, wherein the filtering module is configured to apply an access control rule to the first message, the first message comprises message information, the filtering module is configured to select the access control rule using the message information, and the filtering module is configured to determine whether to perform one or more security actions, in response to applying the access control rule to the first message, and perform a first security action for the first message, wherein the access control rule indicates performance of the first security action, and the filtering module is configured to select to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server; and
- a binding table, wherein the binding table is configured to store protocol status information, the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, and the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients; and
- an access control list, wherein the access control rule is stored in the access control list, the access control rule is calculated using the protocol status information, and the access control rule indicates whether to perform the one or more security actions;
- a snooping agent, wherein the snooping agent is configured to update a binding table entry in response to detecting the one or more protocol messages, the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- an access control rule update module, wherein the access control rule update module is configured to allocate an entry in the access control list to store access control information, the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by the snooping agent, and the snooping agent is configured to update information in the binding table in response to processing the DHCP message; and
- a memory having stored thereon the filtering module, snooping agent, the access control module and the binding table.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A system comprising:
- means for applying an access control rule to a first message, wherein the first message comprises message information, and the means for applying comprises means for selecting the access control rule using the message information;
- means for obtaining protocol status information in response to means for detecting one or more protocol messages sent between at least one client and a protocol server, wherein the protocol status information comprises protocol information generated by the protocol server, and the one or more second messages are conveyed according to a protocol used to assign network addresses to clients;
- means for storing access control rules, wherein the means for storing access control rules stores the access control rule;
- means for calculating the access control rule using the protocol status information, wherein the access control rule indicates whether to perform one or more security actions;
- means for storing the protocol status information;
- means for determining whether to perform the one or more security actions, in response to the means for applying the access control rule to the first message;
- means for performing a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
- means for selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol;
- means for updating a binding table entry in response to the means for detecting the one or more protocol messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- means for allocating an entry in the means for storing access control rules to store access control information, wherein the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by the means for updating the binding table entry.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
25. A computer readable non-transitory storage medium comprising program instructions executable to:
- apply an access control rule to a first message, wherein the first message comprises message information, the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, and the access control rule is stored in an access control list;
- determine whether to perform one or more security actions, in response to applying the access control rule to the first message, wherein the access control rule indicates whether to perform the one or more security actions;
- perform a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
- select to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
- update a binding table entry in response to detecting the one or more second messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- allocate an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by a snooping agent, and the snooping agent is configured to update information in the binding table in response to processing the DHCP message.
Dependent claims: 26, 27, 28, 29, 30, 31, 32
33. A method comprising:
- applying an access control rule to a first message, wherein the first message comprises message information, the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained from one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, the one or more protocol messages are conveyed according to a protocol used to assign a network address to a client, and the access control rule is stored in an access control list;
- determining whether to perform one or more security actions, wherein the determining is based on a result of the applying, and the access control rule indicates whether to perform the one or more security actions;
- performing a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
- selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
- updating a binding table entry in response to detecting the one or more protocol messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- allocating an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by a snooping agent, and the snooping agent is configured to update information in the binding table in response to processing the DHCP message.
Dependent claims: 34, 35, 36
37. A network device comprising:
- a physical interface;
- a binding table, wherein the binding table is configured to store protocol status information, the protocol status information is obtained from one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, and the one or more protocol messages are conveyed according to a protocol used to assign a network address to a client;
- a filtering module coupled to the binding table, wherein the filtering module is configured to apply an access control rule to a first message, the first message comprises message information, the filtering module is configured to select the access control rule using the message information, and the filtering module is configured to determine whether to perform one or more security actions, based on a result generated by applying the access control rule to the first message, perform a first security action for the first message, wherein the access control rule indicates performance of the first security action, and the filtering module is configured to select to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server; and
- an access control list, wherein the access control rule is stored in the access control list, the access control rule is calculated using the protocol status information, and the access control rule indicates whether to perform the one or more security actions;
- a snooping agent, wherein the snooping agent is configured to update a binding table entry in response to detecting the one or more protocol messages, the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- an access control rule update module, wherein the access control rule update module is configured to allocate an entry in the access control list to store access control information, the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by the snooping agent, and the snooping agent is configured to update information in the binding table in response to processing the DHCP message; and
- a memory having stored thereon the filtering module, snooping agent, the access control module and the binding table.
Dependent claims: 38, 39, 40, 41
42. A system comprising:
- means for applying an access control rule to a first message, wherein the first message comprises message information, and the means for applying comprises means for selecting the access control rule using the message information;
- means for obtaining protocol status information from one or more second messages sent between at least one client and a protocol server, wherein the protocol status information comprises protocol information generated by the protocol server, and the one or more second messages are conveyed according to a protocol used to assign network addresses to clients;
- means for storing access control rules, wherein the means for storing access control rules stores the access control rule;
- means for calculating the access control rule using the protocol status information, wherein the access control rule indicates whether to perform one or more security actions;
- means for storing the protocol status information;
- means for determining whether to perform the one or more security actions, based on a result of the means for applying;
- means for performing a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
- means for selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
- means for updating a binding table entry in response to means for detecting the one or more protocol messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- means for allocating an entry in the means for storing access control rules to store access control information, wherein the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by the means for updating the binding table entry.
Dependent claims: 43, 44, 45
46. A computer readable non-transitory storage medium comprising program instructions executable to:
- apply an access control rule to a first message, wherein the first message comprises message information, the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained from one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, the one or more protocol messages are conveyed according to a protocol used to assign a network address to a client, and the access control rule is stored in an access control list; and
- determine whether to perform one or more security actions, based on a result generated by applying the access control rule to the first message, wherein the access control rule indicates whether to perform the one or more security actions;
- perform a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
- select to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
- update a binding table entry in response to detecting the one or more second messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
- allocate an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by a snooping agent, the snooping agent is configured to update information in the binding table in response to processing the DHCP message.
Dependent claims: 47, 48, 49
Specification